
California Enacts First IoT Security Law in U.S.

Client Alert | 4 min read | 10.02.18

California Gov. Jerry Brown signed into law a first-of-its-kind bill to regulate cybersecurity standards for Internet of Things (IoT) devices. The legislation is simultaneously being lauded as a good first step in combating rampant cybersecurity threats associated with the ubiquitous deployment of IoT devices—an estimated 20 billion devices by 2020—and criticized for what it excludes and its vaguely worded standards. Regardless of how it is perceived, as the first state or federal law to address IoT security, it will effectively become a de facto standard for manufacturers of these devices.

Until now, security in the IoT industry has been largely self-regulated and governed by industry best practices, punctuated by Federal Trade Commission enforcement actions and guidance under its broad authority to police unfair or deceptive security practices. The Security of Connected Devices law changes all of that. California’s connected devices information privacy legislation requires manufacturers of IoT devices to:

equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

Under the new law, a “connected device” includes “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This broad definition of covered products requires anyone making Internet-connected devices to comply.

The scope of coverage in the new law is limited to those parties with the ability to affect the design of these products, given the definition of manufacturer. “Manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” The law expressly excludes from the definition of “manufacturer” those who “contract only to purchase a connected device, or only to purchase and brand a connected device.” Critics of the legislation complain that this exclusion will exempt purchasers of “off-the-shelf” products manufactured abroad from complying with these new standards, undermining the law’s effectiveness and creating an uneven competitive landscape.

The new law recognizes some preemptive effect from federal regulatory efforts. It does not apply to any connected device that is otherwise “subject to security requirements imposed by federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority,” such as products currently regulated by the Food and Drug Administration.

Further, manufacturers of IoT devices that are equipped with a means for authentication outside of a Local Area Network (or LAN) are expressly required to either: (1) create unique passwords for each device sold, or (2) if the manufacturer uses hard-coded passwords, require the end-user to change the default password before the device can be used for the first time. With the exception of this provision, however, the new law does not otherwise establish specific standards for a “reasonable security feature.” Manufacturers should expect that the precise standards will be shaped in the courts and regulatory enforcement proceedings, particularly given the fast-paced changes in standard security practices. (Under the new law, authority to enforce its provisions rests exclusively with the State Attorney General, a city attorney, a county counsel, or a district attorney.)
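As an added illustration, not part of this client alert or the statute, the two compliance paths above for devices that authenticate from outside the LAN can be modeled as device-side provisioning and login logic; the `Device` record, function names and the PBKDF2 work factor are assumptions, not requirements the law states.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with an illustrative work factor; real firmware would tune this
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Device:
    """Hypothetical credential record for one unit (assumed, not from the law)."""
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    is_shared_default: bool = True  # True: still on the factory-wide default

def provision_unique(serial: str) -> tuple[Device, str]:
    """Path (1): a random password unique to this unit, e.g. for its label."""
    device = Device(serial)
    password = secrets.token_urlsafe(12)
    device.pw_hash = hash_password(password, device.salt)
    device.is_shared_default = False  # unique per unit, so no forced change
    return device, password

def provision_shared_default(serial: str, default_password: str) -> Device:
    """Path (2): a hard-coded default that must be changed before first use."""
    device = Device(serial)
    device.pw_hash = hash_password(default_password, device.salt)
    return device

def authenticate(device: Device, password: str) -> str:
    """'denied', 'must_change_password' (only action allowed), or 'ok'."""
    if not secrets.compare_digest(hash_password(password, device.salt), device.pw_hash):
        return "denied"
    if device.is_shared_default:
        return "must_change_password"
    return "ok"

def change_password(device: Device, old: str, new: str) -> bool:
    """Accepts the change only if `old` verifies and `new` differs from it,
    then clears the default flag so the device becomes usable."""
    if authenticate(device, old) == "denied":
        return False
    if hash_password(new, device.salt) == device.pw_hash:
        return False  # "changing" to the same default is not a change
    device.salt = secrets.token_bytes(16)
    device.pw_hash = hash_password(new, device.salt)
    device.is_shared_default = False
    return True
```

Under path (2) the device stays locked to the password-change action until the shared default is replaced; under path (1) the per-unit credential is usable immediately.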

California’s connected devices legislation also expressly provides that it does not do any of the following:

  • Impose any duty on manufacturers of connected devices related to unaffiliated third-party software installed on the connected device by the end-user.
  • Impose any duty on any electronic store, gateway, or marketplace for the purchasing and/or downloading of software or applications (e.g., app stores) to review or enforce compliance with the requirements of the new law.
  • Impose any duty on the manufacturer of connected devices to prevent end-users from having full control over the connected device, including preventing the end-user from modifying the software or firmware running on the device.

Given the limitations of the California legislation, legal observers, industry groups, and consumer advocates are awaiting further movement on federal legislation of IoT device security. There are currently several bills proposed in the House and Senate, including:

  • The Internet of Things Cybersecurity Improvement Act, which would require companies to provide certain assurances about the security of IoT devices sold to the federal government, including that the devices are free from known security vulnerabilities, are patchable, and do not have hard-wired passwords that cannot be changed. 
  • The Securing IoT Act, which would require the Federal Communications Commission to update certification standards for wireless equipment to include cybersecurity standards.
  • The Cyber Shield Act of 2017, which would create a voluntary program to identify and promote industry-leading cybersecurity standards, guidelines, procedures, and best practices for IoT devices.
  • The SMART IoT Act and DIGIT Act, which both would require the Department of Commerce to study the IoT industry and federal regulation of the same. 

In addition to creating direct federal regulatory oversight of IoT devices, several of these bills, if enacted, would help clarify what “reasonableness” means under the California connected devices law.

California’s new IoT regulations will take effect on January 1, 2020.
